<html>
<head><meta charset="utf-8"><title>pinning stage0 hashes · t-release · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/index.html">t-release</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html">pinning stage0 hashes</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="246715315"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246715315" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246715315">(Jul 21 2021 at 12:59)</a>:</h4>
<p>I've been thinking lately about improving the security of rust's supply chain, and a thing that came to mind are the stage0 compilers downloaded by x.py</p>



<a name="246715467"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246715467" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246715467">(Jul 21 2021 at 13:00)</a>:</h4>
<p>right now x.py unconditionally downloads the compiler binaries from (dev-)static.rust-lang.org, without performing any check on whether they're the binaries we expect</p>



<a name="246715595"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246715595" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246715595">(Jul 21 2021 at 13:00)</a>:</h4>
<p>and I'm wondering whether it makes sense to have <code>src/stage0.sha256</code>, with the hashes of all the tarballs x.py could download</p>



<a name="246715741"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246715741" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246715741">(Jul 21 2021 at 13:01)</a>:</h4>
<p>(then we'd have a tool to bump both the stage0 and update the <code>.sha256</code> file, instead of manually changing the stage0 file)</p>



<a name="246715931"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246715931" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246715931">(Jul 21 2021 at 13:03)</a>:</h4>
<p>IMO that would reduce a possible attack vector without adding too much complexity for us when updating the stage0 (as long as a tool is present to do the bump and collect the hashes for us)</p>



<a name="246715938"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246715938" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246715938">(Jul 21 2021 at 13:03)</a>:</h4>
<p>thoughts?</p>



<a name="246716464"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246716464" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246716464">(Jul 21 2021 at 13:08)</a>:</h4>
<p>I think it adds complexity (makes it harder to bump stage 0 locally for example for testing, at least by adding a tool rather than just a simpler bump) and I'm not really sure what this truly helps with. If you can't trust your ssl connection (and IIRC we require ssl on this) then you likely can't get a rust repository either securely...</p>
<p>I think it's also pretty uncommon, and I at least would prefer to avoid engineering solutions like this without a write up of our presumed threat vectors and such, so that we can address the right things.</p>
<p>Regardless, I would say a mild blocker on this is to stop bumping stage 0 manually entirely, across channels, in which case it matters much less what the tool etc is</p>



<a name="246716510"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246716510" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> XAMPPRocky <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246716510">(Jul 21 2021 at 13:08)</a>:</h4>
<p><span class="user-mention silent" data-user-id="121055">Pietro Albini</span> <a href="#narrow/stream/241545-t-release/topic/pinning.20stage0.20hashes/near/246715467">said</a>:</p>
<blockquote>
<p>right now x.py unconditionally downloads the compiler binaries from (dev-)static.rust-lang.org, without performing any check on whether they're the binaries we expect</p>
</blockquote>
<p>But if it's HTTPs, don't we already know that it is from us? I'm not sure I see the attack vector. Like yes someone could upload malicious stage0 compiler, but if that person could do that, couldn't they also upload the hashes of the new malicious compiler?</p>



<a name="246716517"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246716517" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246716517">(Jul 21 2021 at 13:08)</a>:</h4>
<p>Ideally that's "rustbot posts a PR for our review" but I'd be ok with "there's a tool you run"</p>



<a name="246716922"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246716922" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246716922">(Jul 21 2021 at 13:12)</a>:</h4>
<p><span class="user-mention silent" data-user-id="219696">XAMPPRocky</span> <a href="#narrow/stream/241545-t-release/topic/pinning.20stage0.20hashes/near/246716510">said</a>:</p>
<blockquote>
<p>But if it's HTTPs, don't we already know that it is from us? I'm not sure I see the attack vector. Like yes someone could upload malicious stage0 compiler, but if that person could do that, couldn't they also upload the hashes of the new malicious compiler?</p>
</blockquote>
<p>the access control for uploading files to <a href="http://static.rust-lang.org">static.rust-lang.org</a> is different than being able to land code in rust-lang/rust</p>



<a name="246717048"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246717048" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Daniel Silverstone <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246717048">(Jul 21 2021 at 13:13)</a>:</h4>
<p>Rather than hashes, could you go with signature files and verify those?</p>



<a name="246717138"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246717138" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Daniel Silverstone <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246717138">(Jul 21 2021 at 13:14)</a>:</h4>
<p>That wouldn't need extra complications to the update, but it would need those tarballs to be signed and the signatures to be stored on static.rlo</p>



<a name="246717164"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246717164" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Daniel Silverstone <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246717164">(Jul 21 2021 at 13:14)</a>:</h4>
<p>https can be man-in-the-middle'd</p>



<a name="246717202"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246717202" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> XAMPPRocky <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246717202">(Jul 21 2021 at 13:14)</a>:</h4>
<p>Oh I see, in your proposal the hashes are stored separately in the repo.</p>



<a name="246717218"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246717218" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246717218">(Jul 21 2021 at 13:15)</a>:</h4>
<p>the hashes would be stored in rust-lang/rust</p>



<a name="246717273"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246717273" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246717273">(Jul 21 2021 at 13:15)</a>:</h4>
<p>we already sign the tarballs, but verifying gpg signatures would re<br>
<span class="user-mention silent" data-user-id="223910">Daniel Silverstone</span> <a href="#narrow/stream/241545-t-release/topic/pinning.20stage0.20hashes/near/246717048">said</a>:</p>
<blockquote>
<p>Rather than hashes, could you go with signature files and verify those?</p>
</blockquote>
<p>we already sign the tarballs, but verifying gpg signatures would require to have gpg installed on the local machine, which IMO we should avoid</p>



<a name="246717495"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246717495" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> bjorn3 <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246717495">(Jul 21 2021 at 13:17)</a>:</h4>
<p>Can <a href="https://sequoia-pgp.org/">https://sequoia-pgp.org/</a> be used for verifying gpg signatures? It is written in rust.</p>



<a name="246717510"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246717510" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246717510">(Jul 21 2021 at 13:17)</a>:</h4>
<p>I guess my worry is that in practice I think the acl is similar for the bucket and the repository; essentially for these files it's mark + pietro. if either one of us is "hacked" or whatever, it seems likely that the tool we run would a) upload a back file to the bucket and b) put the new hash in the file</p>



<a name="246717555"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246717555" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246717555">(Jul 21 2021 at 13:17)</a>:</h4>
<p>I don't think we need to do signature verification, there's really no advantage to that over hashes for our purposes I think?</p>



<a name="246717694"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246717694" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246717694">(Jul 21 2021 at 13:18)</a>:</h4>
<p>the advantage of signature verification is it would require no workflow change, as we would just store the gpg key in the rustc repo and it would automatically trust the right builds without having to manually update the pinned hashes</p>



<a name="246717759"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246717759" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246717759">(Jul 21 2021 at 13:19)</a>:</h4>
<p>hm</p>



<a name="246717779"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246717779" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246717779">(Jul 21 2021 at 13:19)</a>:</h4>
<p>but it requires gpg to be installed on the local machine (unless we change how we sign releases as a whole), and well, it's hard to compile sequoia-gpg when we still need to download rust <span aria-label="sweat smile" class="emoji emoji-1f605" role="img" title="sweat smile">:sweat_smile:</span></p>



<a name="246717839"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246717839" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> bjorn3 <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246717839">(Jul 21 2021 at 13:19)</a>:</h4>
<blockquote>
<p>and well, it's hard to compile sequoia-gpg when we still need to download rust <span aria-label="sweat smile" class="emoji emoji-1f605" role="img" title="sweat smile">:sweat_smile:</span></p>
</blockquote>
<p><span aria-label="face palm" class="emoji emoji-1f926" role="img" title="face palm">:face_palm:</span></p>



<a name="246717932"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246717932" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246717932">(Jul 21 2021 at 13:20)</a>:</h4>
<p>I definitely don't think we should force people to download or compile sequoia to build rust, that seems excessive</p>



<a name="246718091"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246718091" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Daniel Silverstone <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246718091">(Jul 21 2021 at 13:21)</a>:</h4>
<p>One option is to use gpg/gpgv if present, and permit a <code>--no-pgp-verification</code> option to skip it if the tools are not present.</p>



<a name="246718174"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246718174" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246718174">(Jul 21 2021 at 13:22)</a>:</h4>
<p>I don't think anything that the average user either a) needs to install a tool for or b) needs to pass an option for is viable</p>



<a name="246718175"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246718175" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Daniel Silverstone <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246718175">(Jul 21 2021 at 13:22)</a>:</h4>
<p>Many people will have, or can easily install, gpg/gpgv/sq/whatever, and those who don't only need to pass that once to initialise without verification and be no worse off than now.</p>



<a name="246718204"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246718204" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Daniel Silverstone <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246718204">(Jul 21 2021 at 13:22)</a>:</h4>
<p>Do we honestly think people who work on the compiler can't pass a flag to x.py once ?</p>



<a name="246718232"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246718232" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246718232">(Jul 21 2021 at 13:22)</a>:</h4>
<p>iirc on windows gpg is way more of a pain than on linux</p>



<a name="246718299"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246718299" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> XAMPPRocky <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246718299">(Jul 21 2021 at 13:23)</a>:</h4>
<p>Also a huge pain on macOS. Everytime I install it I regret it.</p>



<a name="246718324"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246718324" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246718324">(Jul 21 2021 at 13:23)</a>:</h4>
<p>I mean I regret it on linux too <span aria-label="upside down" class="emoji emoji-1f643" role="img" title="upside down">:upside_down:</span></p>



<a name="246718398"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246718398" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Daniel Silverstone <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246718398">(Jul 21 2021 at 13:23)</a>:</h4>
<p>I guess I am unusual, the idea of having a system incapable of verifying signatures is anathema to me <span aria-label="grinning" class="emoji emoji-1f600" role="img" title="grinning">:grinning:</span></p>



<a name="246718525"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246718525" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Daniel Silverstone <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246718525">(Jul 21 2021 at 13:24)</a>:</h4>
<p>Though we could use another simpler signing tool which perhaps can exist in source form in the rust repo if we wanted to</p>



<a name="246718766"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246718766" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> XAMPPRocky <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246718766">(Jul 21 2021 at 13:26)</a>:</h4>
<p><span class="user-mention silent" data-user-id="223910">Daniel Silverstone</span> <a href="#narrow/stream/241545-t-release/topic/pinning.20stage0.20hashes/near/246718398">said</a>:</p>
<blockquote>
<p>I guess I am unusual, the idea of having a system incapable of verifying signatures is anathema to me <span aria-label="grinning" class="emoji emoji-1f600" role="img" title="grinning">:grinning:</span></p>
</blockquote>
<p>It's different tools on Windows &amp; Mac. On the Mac it's called <code>codesign</code>.</p>



<a name="246719045"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246719045" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246719045">(Jul 21 2021 at 13:28)</a>:</h4>
<p><span class="user-mention silent" data-user-id="116122">simulacrum</span> <a href="#narrow/stream/241545-t-release/topic/pinning.20stage0.20hashes/near/246717510">said</a>:</p>
<blockquote>
<p>I guess my worry is that in practice I think the acl is similar for the bucket and the repository; essentially for these files it's mark + pietro. if either one of us is "hacked" or whatever, it seems likely that the tool we run would a) upload a back file to the bucket and b) put the new hash in the file</p>
</blockquote>
<p>I don't think it's necessary true: a change to rust-lang/rust would have to go through code review even if our aws credentials get compromised</p>



<a name="246719121"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246719121" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246719121">(Jul 21 2021 at 13:28)</a>:</h4>
<p>and having the hashes pinned in the git repository would prevent builds of existing, known-good commits from ever being compromised</p>



<a name="246719146"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246719146" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246719146">(Jul 21 2021 at 13:29)</a>:</h4>
<p>I'm saying that there's no way for you or anyone to verify that hash</p>



<a name="246719161"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246719161" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246719161">(Jul 21 2021 at 13:29)</a>:</h4>
<p>the only thing you really prevent is historical compromise</p>



<a name="246719764"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246719764" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246719764">(Jul 21 2021 at 13:33)</a>:</h4>
<p>and I'm not convinced that this is the way to solve that - we could mirror the whole set of sha256 files to a git repository, for example, and run a job verifying hashes every so often</p>



<a name="246721364"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246721364" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246721364">(Jul 21 2021 at 13:45)</a>:</h4>
<p><span class="user-mention silent" data-user-id="116122">simulacrum</span> <a href="#narrow/stream/241545-t-release/topic/pinning.20stage0.20hashes/near/246719146">said</a>:</p>
<blockquote>
<p>I'm saying that there's no way for you or anyone to verify that hash</p>
</blockquote>
<p>once we get reproducible builds ironed out (dunno what the status of that is) we should definitely be able to verify at least some of the hashes</p>



<a name="246721731"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246721731" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246721731">(Jul 21 2021 at 13:48)</a>:</h4>
<p><span class="user-mention silent" data-user-id="116122">simulacrum</span> <a href="#narrow/stream/241545-t-release/topic/pinning.20stage0.20hashes/near/246719161">said</a>:</p>
<blockquote>
<p>the only thing you really prevent is historical compromise</p>
</blockquote>
<p>I would say it prevents the compromise of every clone of rustc up until the attacker manages to land a reviewed PR updating the pinned hashes</p>



<a name="246721812"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246721812" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246721812">(Jul 21 2021 at 13:49)</a>:</h4>
<p>and even if the attacker manages to land a compromised stage0.sha256 we know exactly which commits of rustc are affected or not</p>



<a name="246721856"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246721856" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246721856">(Jul 21 2021 at 13:49)</a>:</h4>
<p>it's trust on first use, yes, but it still provides way more guarantees than what's present today</p>



<a name="246729484"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246729484" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246729484">(Jul 21 2021 at 14:44)</a>:</h4>
<p>I suppose that's true</p>



<a name="246729551"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246729551" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246729551">(Jul 21 2021 at 14:45)</a>:</h4>
<p>in any case, not really opposed, I think it'll be an easier sell if the tool that updates the sha256 file also automagically discovers the right date (which is currently a bit of a pain)</p>



<a name="246729813"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246729813" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246729813">(Jul 21 2021 at 14:47)</a>:</h4>
<p>I need to double-check, but I'll likely be able to dedicate time to an impl of the tool</p>



<a name="246983846"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246983846" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246983846">(Jul 23 2021 at 14:23)</a>:</h4>
<p>btw I checked, and I'll definitely be able to spend work time on implementing this</p>



<a name="246995844"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246995844" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> tmandry <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246995844">(Jul 23 2021 at 15:56)</a>:</h4>
<p><a href="https://slsa.dev/">https://slsa.dev/</a> has a good writeup on different kinds of attack vectors like this</p>



<a name="246995915"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246995915" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> tmandry <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246995915">(Jul 23 2021 at 15:57)</a>:</h4>
<p>with examples of each happening 'in the wild"</p>



<a name="246996187"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246996187" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> tmandry <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246996187">(Jul 23 2021 at 15:59)</a>:</h4>
<p>personally I agree that this would be worthwhile, provided we can find a way to accommodate existing workflows etc.</p>



<a name="246996279"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246996279" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> tmandry <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246996279">(Jul 23 2021 at 16:00)</a>:</h4>
<p>I think if someone is using a custom stage0 they should just have a way to disable verification. it might be something they built themselves and wasn't signed by us, for instance</p>



<a name="246996577"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246996577" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> cuviper <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246996577">(Jul 23 2021 at 16:01)</a>:</h4>
<p>You would use <code>./configure --local-rust-root</code> or similar for that, right?</p>



<a name="246996595"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246996595" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> tmandry <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246996595">(Jul 23 2021 at 16:01)</a>:</h4>
<p>(people who really care about supply chain attacks are already doing this themselves, to some extent, with their own bootstrapping)</p>



<a name="246996608"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246996608" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> cuviper <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246996608">(Jul 23 2021 at 16:01)</a>:</h4>
<p>that should absolutely be exempt from any hash checking</p>



<a name="246996809"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246996809" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> bjorn3 <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246996809">(Jul 23 2021 at 16:03)</a>:</h4>
<p>Using a custom stage0 happens through the <code>rustc</code> and <code>cargo</code> fields in <code>config.toml</code>, right? The presence of these fields should be enough to disable verification, right? Or do the verification during downloading of stage0 which doesn't happen when you use <code>rustc</code> and <code>cargo</code>.</p>



<a name="246997007"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246997007" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> cuviper <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246997007">(Jul 23 2021 at 16:04)</a>:</h4>
<p>doing this during download or right before extract makes sense, and would avoid the custom cases</p>



<a name="246997385"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/241545-t-release/topic/pinning%20stage0%20hashes/near/246997385" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/241545-t-release/topic/pinning.20stage0.20hashes.html#246997385">(Jul 23 2021 at 16:07)</a>:</h4>
<p>yeah I was planning to do this before extracting the downloaded tarballs</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>